Citrix Virtual Desktop Service on Google Cloud


In this article we will walk through the detailed process of provisioning Citrix virtual apps and desktop services through MCS hosted in Google cloud platform


  • Google Cloud Account
  • A GCP project
  • GCP service account with GCP Roles
  • GCP API’s
  • VPC (Google cloud virtual private cloud )
  • DNS Policy
  • Cloud NAT (Optional :To allow outbound traffic )
  • CVAD Subscription

Diagram reference: Citrix Docs

Setting up Google Cloud Infrastructure

Creating GCP Project

A Google Cloud project is conceptually similar to the Azure subscription, in terms of billing, quotas, and limits. However, from a functional perspective, a Google Cloud project is more like a resource group in Azure. It’s a logical unit that cloud resources are deployed to.

Login to GCP cloud portal and browse to IAM & Admin-create a Project

Enable Google Cloud APIs
To use the Google Cloud functionality through the Citrix Virtual Apps and Desktops Full Configuration interface, enable these APIs in your Google Cloud project:

Compute Engine API
Cloud Resource Manager API
Identity and Access Management (IAM) API
Cloud Build API

In GCP console browse to APIs and Services > Dashboard

In the search box, type Compute Engine.
On the Compute Engine API page, select Enable.

Similarly enable the other APIs

Creating VPC

VPC is the basic concept of a virtual cloud network and similar to Azure vNet

Browse to Networking-VPC Network-VPC Networks

Enter the Details as highlighted such as VPC name, subnet details, region

Turn on Private google access to ensure that a VM in your subnet can access the Google APIs without a public IP address for MCS provisioning

Do not select any Firewall rules and DNS policy at this stage as we will create separately
Select Dynamic routing mode as Regional

Creating DNS Policy

We need to define DNS server for our VDI for the name resolution and it can be done through DNS policy and bind it to VPC. This concept is similar to defining custom DNS in Azure vNet

Note: If you use DNS policy with on-premise DNS server then you should have connectivity with DNS server either though VPN or interconnect, alternatively if you planned to host DNS server in GCP itself then make sure you create DNS forwarding zone and DNS peering between VDI VPC and VPC hosting the DNS server. Just performing network peering between 2 VPC doesn’t help in DNS resolution unlike Azure

Browse to Networking-Network Services-Cloud DNS

Enter the details such as Name, IP address of DNS server and add the VPC which we created earlier

Note: Make sure you’ve Firewall rules to allow ingress traffic from to your VPC hosting DNS server or in On-premise Network if you use DNS server hosted in on-premise as its a GCP requirements . (

Creating Firewall

By default all outgoing traffic is allowed from VPC however incoming traffic is blocked so GCP firewall policies selectively allow and deny traffic to VPC. This is similar to Azure Network security group (NSG)

Define the rule which is required for the VDI subnet (In this lab i am allowing rdp port from my public IP address to access the jumpbox VM in GCP)

Make sure to add ingress rule within the VDI subnet (to allow communication between cloud connector VM and VDIs)

Creating Service Account, IAM Roles, permissions

In the GCP console, navigate to IAM & Admin > Service accountsCREATE SERVICE ACCOUNT.

Select the service account and browse to KEYS-ADD KEY-Create new Key

Save the key as you need this key when creating a connection in the Citrix service.

In the GCP console, navigate to IAM & Admin > IAM-ADD
Enter the service account details under New Principles and add the below Permissions Compute Admin
Storage Admin
Cloud Build Editor
Service Account User


On the IAM page, locate the Cloud Build service account and then select the pencil icon to edit the service account. You can identify the Cloud Build service account by its user name, which is in this format:

On the Edit permissions page, select ADD ANOTHER ROLE to add the following roles to your Cloud Build service account one by one and then select SAVE.
Cloud Build Service Account
Compute Instance Admin
Service Account User

Cloud NAT (Optional )

It allows outbound communication to Virtual machine without public IP address and we need this to allow communication between GCP VPC and Citrix cloud or Internet .Its similar to Azure NAT gateway and it avoids requirement of public IP address

Note: If you have proxy server in your infra then NAT gateway is not required

In the GCP console, navigate to Networking> Network Services>Cloud NAT

Enter the details like name, VPC and create cloud router as shown below

Select the VDI subnet and choose NAT IP address as Automatic and select Create

So now we have completed the NAT gateway and allowed our VDI subnet so all outbound traffic to internet will go via NAT gateway

Cloud Connector and Master Image VM Creation

In the GCP console, navigate to Compute Engine> VM Instances

Enter the name for the VM, region and select the VM size as shown below

Select the OS, Version and Disk type as per the requirements and Network details like VPC, subnet

Similarly create one more Virtual machine for Master Image

Login to the Master image VM and install the VDA as shown below

Shutdown the VM and take disk snapshot from GCP console

Enter the details for snapshot like Name, Location

Citrix Cloud Configuration

Browse to and login with administrator account and create Resource Location

Install the Cloud Connector setup

Login to VM and browse to Citrix cloud portal to download the Cloud connector setup (Make sure to join the VM to domain)

Run the setup and sign in to Citrix cloud portal to proceed the installation

Select your tenent and Resource location as shown below

Post installation make sure all connectivity test is successful and in the cloud portal make sure your cloud connector is showing as healthy

Hosting Connection

In Citrix cloud console browse to CVAD service and select Hosting
Click on Add Connection and Resources

Enter the Details related to GCP cloud
Under Service account Key select the key which we downloaded earlier from GCP IAM

Select the Region and Network details such as VPC and subnet

Machine Catalog Creation using MCS

Now we have to create the machine catalog to provision VDIs and follow the below steps

Now we have deployed VDI in google cloud platform ,so create Delivery group accordingly to assign it to end users.

RD Client Behind Corporate Proxy

In a recent deployment I have come across an issue where users inside corporate network are unable to subscribe to AVD workspace over RD client but they are able to access via browser.

In Microsoft portal multiple customers reported the same issue unfortunately it remains unanswered

After gathering some more information on the infra its noted that in corporate network customer is using proxy server to reach internet over PAC file (please check below link for more details on PAC file)


Since the browser using PAC file to reach internet so due to this AVD connection working fine via browser, however RD client doesn’t support proxy PAC hence its not able to subscribe to AVD workspace


To make it work from RD client we need to configure below

  • Exclude below WVD URLs from proxy SSL interception


FSLogix Disk space Expansion

One of the very common request we often get in VDI environment is for the expansion of FSLogix profile disk. Though there is not proper articles from Microsoft for the disk expansion in this blog will explain how we can achieve it using simple diskpart commands

I highly recommend below points to consider while implementing FSLogix to avoid disk expansion requests

  • Implement O365 disk which will avoid storing office/teams related cached data to profile disk
  • Recommended to set 30 GB for each Profile and O365 disk
  • Implement FSlogix Exclusions where ever possible

Lets begin

Please make sure user is logged off from the VDI session and profile vdisk is not locked prior running below commands

Launch PowerShell and execute below Commands

Select Vdisk file =”\\share”
Expand Vdisk maximum=target size
attach vdisk
select partition 1
list partition 1
detach vdisk

Select the Vdisk from the share path (file server path/azure premium file share/Azure netapp file share )

Enter the size (in this blog we will increase disk from 30 to 40 GB )

You can verify by mounting the VHD or you can check from FSlogix tray as well from user session

Azure Virtual Desktop with Azure AD Join

Microsoft announced public preview of Azure AD join support for AVD, this will remove the dependence of having on-premise DC or ADDS or DC in Azure, infact it can remove the need for a DC entirely, simplifying the deployment and management of the environment.

In this blog will walk through the process of deploying and accessing Azure Active Directory joined virtual machines in Azure Virtual Desktop.

Note: AVD with cloud user + Azure AD join VM doesn’t support fslogix profile solution because both ANF and azure files doesn’t support authentication over SMB with Azure active directory

AVD with hybrid user +Azure AD join VM supports fslogix because hybrid user account has the ability to contact domain controller and authenticate SMB shares of ANF/Azure files

Use cases :

  • Dedicated/Personal desktop with local profile
  • Pooled desktop where users not required to save data , example users with applications that saves data on remote DB or server , example call center environment

Deploy Azure AD-joined VMs

Browse to AVD blade and select create host pool

Follow the normal procedure to create host pool

Select Directory as Azure Active Directory

Note: In this log I am not enrolling the VM to Intune

Create a workspace and click on review and create

Once the deployment is complete browse to hostpool and check the status of Azure AD joined VDI

To confirm the VM is joined to Azure AD you can check the VM extension

Configuring access to users :

To grant access to AVD either you can use cloud-only user accounts or hybrid users from the same Azure AD tenant

To access AVD with AAD joined VM we should add the user group under Desktop application group-assignment and we need to assign virtual machine user login role to same user group either on VMs/resource group level/subscription level, so its always good to add on resource group level where our AAD joined VMs resides

so lets create a AAD group and add some test user

Browse to Azure active directory and select group -New Group

Go the resource group where we deployed our VM and select Access Control (IAM)-assign virtual machine user login role to AAD group created earlier

assign the same group under AVD application group

To enable access from Windows devices not joined to Azure AD or from other clients like ios/android , add targetisaadjoined:i:1 in custom rdp properties the host pool.

User Experience

Azure Virtual Desktop doesn’t currently support single sign-on for Azure AD-joined VMs.

To verify the VM is joined to domain you can run dsregcmd/status

so we have logged into AAD joined VM with our cloud only user (we can use hybrid user account as well)

Now AVD market images comes with teams optimized as well so removing one task whcih we used to do manually

Conclusion: With support of AAD joined VM , now you don’t need on-premise DC or ADDS and these VMs can also be automatically enrolled in Intune for ease of management.

Deploy and Configure Microsoft monitoring/ Dependency agent with Log analytics workspace to AVD using Azure Policy

One of the main components of Azure virtual desktop is monitoring .To have more insight on AVD VMs you need to have Microsoft monitoring and dependent agent (MMA )installed and configured with log analytics workspace.

Note: You cannot install MMA on master image because when you deploy VMs from master image it wont create unique identity for each VMs similar to SCCM agent behavior so you have to deply these agents on each AVD VMS.

Installing and configuring MMA agents on each VMs will be tedious job if you have host pool with hundreds of VMs so we can achieve auto installation of MMA agents using Azure Policy .

Policy can be targeted on Subscription/Resource group level based on your requirement

URLs to be allowed for Azure monitor/log analytics service over port 443


Note: recommended to allow this directly via firewall without proxy

To begin with the configuration login to azure portal and search for Policy

We need to create Definition (it includes set of policies, location and image details and deployment parameters )

Select Initiative Definition

Under Basics -Enter the location as your subscription and name for the definition , click next

Under Polices –select the policies you want to deploy (in my case i am selecting dependent/log analytics agent deployment )

Skip group and select Initiative parameters Create Initiative parameter

Please note if you are creating VMs from market place image by default Policy will push agents to VMs, if you are creating VMs from custom image then we need to define the Image resource ID here (you can find the image ID under properties of Image or share image gallery)

Copy the Image resource ID

Enter the name as ListOfImageId and select Type as Array and under allowed values enter the Resource ID of the Image

Example : [“/subscriptions/94da6eb7-2927-4177-ad30-5c60bb5fc90c/resourceGroups/WVD-RG/providers/Microsoft.Compute/galleries/SIG/images/win10”]

Under Value type set as below and mention your log analytics workspace details -Select Review + Create

Now we have the Policy initiative definition and we need to assign this to either subscription/Resource Group

Select Assignment -Click on Assign initiative

Under Basics-Define the Scope where you want to apply the polices (either subscription or Resource Group)

Initiative Definition -Select the Definition we created earlier

Select the Image IDs

Select Create a remediation task

Enter the details as per your requirements and select Review + Create

To verify the deployment of MMA and dependent agent browse to azure portal and select the VM-Select Extension

Login to the Virtual machine and go to Appwiz.cpl and verify the installed agents

To verify VM is connected to log analytics workspace go to Control panel-Microsoft Monitoring agent-Azure Log analytics

Azure Virtual Desktop SSO with ADFS

Recently Microsoft announced support for SSO to AVD session hosts via ADFS, so in this blog we will walk though the prerequisites and configurations required to achieve SSO via ADFS

The concept is similar to Citrix federated authentication (FAS) where certificates will be issues by ADFS on the behalf of user to sign into session host since Windows OS does not support any kind of modern authentication apart from username/password and certificates (virtual smart card)


  • Active directory certificate service
  • Active Directory federation service
  • Azure AD connect
  • PowerShell with AVD modules
  • Public SSL certificate
  • AVD host pool should be in validation environment
  • Azure key vault

Note: SSO only supported in spring release and it wont support classic AVD and currently its in public preview so not recommended for production use until MS announce GA

Configuring ADFS

I am not covering adfs and azure ad connect configuration in this blog as there are several blogs available and you can refer to ITPROGUDE

Configuring certificates

We need to configure 2 types of certificates templates from internal CA

  • Enrollment agent certificate template
  • Smartcard Logon certificate template

Launch Active directory certificates authority and Certificate Templates, right-click Exchange Enrollment Agent (Offline Request) and select Duplicate Template.

  1. Select the General tab, then enter “ADFS Enrollment Agent” into the Template display name field. This will automatically set the template name to “ADFSEnrollmentAgent”.
  2. Select the Security tab, then select Add….
  3. Next, select Object Types…, then Service Accounts, and then OK.
  1. Enter the service account name for AD FS and select OK.

After the service account is added and is visible in the Security tab, select it in the Group or user names pane, select Allow for both “Enroll” and “Autoenroll” in the Permissions for the AD FS service account pane, then select OK to save.

To create the Smartcard Logon certificate template:

  1. Expand the Certificate Templates, right-click Smartcard Logon and select Duplicate Template.
  2. Select the General tab, then enter “ADFS SSO” into the Template display name field. This will automatically set the template name to “ADFSSSO”.
  3. Select the Subject name tab and then select Supply in the request. When you see a warning message, select OK.
  4. Select the Issuance Requirements tab.
  5. Select This number of authorized signatures and enter the value of 1.
  1. For Application policy, select Certificate Request Agent.
  2. Select the Security tab, then select Add….
  3. Select Object Types…Service Accounts, and OK.
  4. Enter the service account name for AD FS 
  5. After the service account is added and is visible in the Security tab, select it in the Group or user names pane, select Allow for both “Enroll” and “Autoenroll”, then select OK to save.

Publish the new certificate templates:

To enable the new certificate templates:

  1. Expand the Certification Authority on the left-hand pane and open Certificate Templates.
  2. Right-click in the middle pane that shows the list of certificate templates, select New, then select Certificate Template to Issue.
  3. Select both ADFS Enrollment Agent and ADFS SSO, then select OK. You should see both templates in the middle pane.

Key vault Configuration

Browse to Azure portal and search for key vault and create

Configuring ADFS for SSO

We need to configure AD FS servers to use the new certificate templates and set the relying-party trust to support SSO.

In this blog I am using shared secret to generate token which is used to sign in to windows and will be storing the shared key in azure Key vault and make sure to provide proper permissions (get,sign) to AVD on key vault

Launch PowerShell on ADFS server and run the below commands

Set-AdfsCertificateAuthority -EnrollmentAgentCertificateTemplate “ADFSEnrollmentAgent” -LogonCertificateTemplate “ADFSSSO” -EnrollmentAgent

Run the below script and replace adfs server name with your environment

Install-Script -Name ConfigureWVDSSO -Force
$config = ConfigureWVDSSO.ps1 -ADFSAuthority “” -WvdWebAppAppIDUri “” -RdWebURL “”

Set the access policy on the Azure Key Vault by running the following PowerShell cmdlet:

Set-AzKeyVaultAccessPolicy -VaultName “kubs1” -ServicePrincipalName 9cdead84-a844-4324-93f2-b2e6bb768d07 -PermissionsToSecrets get -PermissionsToKeys sign

Verify the permissions under key vault

To Store the shared key in Azure Key Vault run the below command (replace hostpool and resource group name as per your environment )

$hp = Get-AzWvdHostPool -Name “FIDO-HP” -ResourceGroupName “wvd-rg”
$secret = Set-AzKeyVaultSecret -VaultName “kubs1” -Name “adfsssosecret” -SecretValue (ConvertTo-SecureString -String $config.SSOClientSecret -AsPlainText -Force) -Tag @{ ‘AllowedWVDSubscriptions’ = $hp.Id.Split(‘/’)[2]}

To verify the secret in key vault, browse to Key vault-Secret

Now we need to update our AVD host pool with ADFS details , so we need to run below commands

Update-AzWvdHostPool -Name “FIDO-HP” -ResourceGroupName “wvd-rg” -SsoadfsAuthority “” -SsoClientId “” -SsoSecretType SharedKeyInKeyVault -SsoClientSecretKeyVaultPath $secret.Id

To verify please run below command and check the parameters

Get-AzWvdHostPool -Name “FIDO-HP” -ResourceGroupName “WVD-RG” | fl *

User Experience

Login to RDweb or RD client and and try to launch the AVD and it should not prompt for credentials for second time like it usually do

On your Certificate server you can see smart card certificate (virtual smartcard/login token) issued to the user

Conclusion: Though Microsoft announced their roadmap to support Azure AD authentication (SSO) to AVD session hosts but this method will help those who still rely on on-premise ADFS for authentication

Start VM on Connect for Pooled WVD Host pool

Microsoft announced support for VM on connect for pooled WVD host pool. The start VM on connect (preview) feature lets you save costs by allowing end users to turn on their VMs only when they need them. You can then turn off VMs when they’re not needed.

In this blog we will walk through how to configure start VM on connect and its mainly divided into 3 parts

  • Configure custom RBAC role to start the VM
  • Configure start VM on connect via PowerShell
  • Configure Azure automation to stop the VM to save cost

We need to define custom RBAC role with start and read permission on VM and assign it to WVD

Browse to subscription and click on Access Control-Add-Add custom Role

Select Permission to read and stat the VM and click on Review + Create

Assign the custom role to Windows Virtual Desktop

Browse to Subscription and select Access Control-Add-Add Role assignment

Select the custom role we created earlier and Assign access to select windows Virtual Desktop

To configure Start VM on Connect using PowerShell:

  1. Open a PowerShell command window.
  2. Run the following cmdlet to enable Start VM on Connect:

Update-AzWvdHostPool -ResourceGroupName -Name -StartVMOnConnect:$true

Now we need to create Azure automation to stop the VMs

For the automation we need log analytics workspace and automation account (If you have existing log analytics workspace/Automation account you can use it or create new as per below )

Search for Start/Stop VM in market place and click on Create

Select the workspace and Automation account and click on Configure Parameters

Enter the Resource group details on which WVD VMs are residing and enter the VMs if any to exclude from stop and set the schedule for stopping the VM as per your requirement (In this wizard we will mention VM start time and later we will disable it and we will keep only stop schedule)

Once it created browse to Resource group and search for Scheduledstartstop and select the highlighted blade

Select the Scheduled StartVM and Disable and Save

User experience

In typical sessions, the time it takes for a user to connect to a deallocated VM increases because the VM needs time to turn on again, much like turning on a physical computer. The Remote Desktop client has an indicator that lets the user know the PC is being powered on while they’re connecting.

We can see we have 2 VMs in the host pool and both are in stop state
When you launch the WVD it performs start VM on Connect
VM started on Connect and it serving user session

Security Best Practice for FSlogix profile Share hosted in Azure Files

Azure Files is a fully-managed service you can use to operate a file share in the Azure cloud. It is based on the Server Message Block (SMB) protocol and enables you to mount and sync files across cloud and on-premises shares.

In this blog we will walk through some of the security best practice to secure the FSlogix profile share hosted in Azure file

Make sure you have configured the storage account with below settings

  • Secure transfer required-Enabled
  • Allow Public blob access required -Disabled
  • Minimum TLS version-Version 1.2
  • Soft Delete-Enable
  • Use Private endpoint instead of service endpoint (Please refer to below section to configure Private endpoint ).Azure Private Endpoint is a network interface that connects you privately and securely to a storage service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet and you can benefit from low latency and security.
  • Use Customer managed key for encryption of Azure storage account (Refer to below section on configuring Customer managed key for storage accounts)

Configuring Key vault and CMK for storage account

Configuring Private endpoint for storage account

Browse to storage account and click on network-Private endpoint

Select the subscription, resource group ,name and region

Select the virtual network and subnet then click review +create

Once created browse to networking and make sure Private endpoint is selected

To verify the Private endpoint , try to ping the storage URL and your can notice its resolving to private IP address of your subnet .

Note: If you configured your on-premise DNS server or custom DNS server on the vnet ,kindly create necessary conditional forwarder to resolve the private end point (refer below MS link).

Azure Private Endpoint DNS configuration | Microsoft Docs

Backup for FSlogix profile hosted in Azure Premium files for WVD Environment

When disaster strikes, we all shout for it. We assume, wrongly, that every business has a long term backup strategy – In fact, if you have one, you’re halfway there to protecting your business. But a corporate backup strategy is only valid if it’s regularly tested and you can guarantee the process works. Both for your peace of mind as well as your data security.

If your IT backup plan fails it could have catastrophic effects on your business. Not only from a compliance and regulatory perspective but from a reputational point of view too. 

In this blog I will walk through how to configure Azure backup and restore FSlogix profile which is hosted in Azure premium files.


  • Recovery service vaults

Note: Please make sure to create separate shared folder for profile and Office 365(ODFC) container so that you can exclude backup for Office 365 (ODFC) share since it has only cached data so backup is not required and you can save cost as well

In this blog I am not going through creating Azure files for FSlogix as there are many blogs available in the internet and I strongly recommend you can follow Mr.T-Bone blog for the configuration Azure fileshare for WVD with Fslogix – Mr T-Bone´s Blog

So lets begin..

From azure portal search for Recovery Service vaults

Click on create and enter the necessary details like RG name and vault name then click Review+create

Click on Go to resource

Browse to Properties-Backup Configuration-Select Locally redundant (This option you cannot be changed later so configure according to your requirements )

Under Recovery services vaults blade browse to Backup and select Azure File share and click Backup

Select the storage account and add the share

Select Create a new Backup Policy and configure it as per the requirement

Verify the Backup items

Click on Backup now to initiate backup (forceful back for the first time)

Verify the status under Backup Jobs

Now Lets try to restore FSlogix profile

Browse to Backup items and select the share and click on File Recovery

Select the Restore point and destination

Click on Add files and select the VHD path

Click on Restore

You can see the progress of restore under Backup Jobs

Addressing FSlogix User Profile issues in WVD Environment

One of the most common issue in WVD environment is temp profile where user unable to retrieve data and profile settings upon login to VDI .

The main reason for this is VDI profile disk is not getting detached from the previous session may be due to improper logoff which leads to create local profile in WVD host in the next user login , so when there is a local profile present in VDI host , it doesn’t load FSlogix profile disk which leads to temp/Inactive profile.

Below are some settings to consider when configuring FSLOGIX profile in Single/Multisession WVD to avoid temp profile issues.

  • Configure GPO “Delete Local profile when Fslogix profile should apply “
  • Configure Reboot Computer when user logs off (For single session VDI)
  • Schedule a daily reboot cycle for WVD host-pool using SCCM or Policies
  • Always add FXtray app to startup to quickly identify the FSlogix profile disk status when user reports issue on profile


In a pooled WVD environment its difficult to search for users past login history to check and delete the local profile so this can be addressed using Azure Log analytics Kusto Query (Below script is only applicable to WVD Classic )

Note : Make sure you configured your WVD host with Log analytics workspace to use the query

In azure portal search for Log analytics workspaces

Select the WVD Workspace anf browse to Logs

Run the below query and select the duration and click on Run, which will provide user login history on WVD , so that you can delete local profile on these hosts to solve temp profile issue

| where UserName_s contains “”
| extend Duration = EndTime_t – StartTime_t
| project SessionHostName_s , UserName_s,
Duration, StartTime_t, EndTime_t

Create your website with
Get started
%d bloggers like this: